Updated: 12 September 2019
Our objective, in the development and implementation of this Information Security Policy ("ISP"), is to create effective administrative, technical and physical safeguards for the protection of Private Customer Application Data of Pixie Labs’ Customers and the prevention of unauthorized access, use or dissemination of Private Customer Application Data from Pixie Labs Inc.
2. Private Customer Application Data
For purposes of this ISP, "Private Customer Application Data" means information sent to Pixie Labs’ Data Collection Services by a Pixie Labs Customer’s application (e.g. API messages) and the subsequently processed data, including as presented on the Pixie Labs Dashboard (e.g. Dashboard metrics), that can be used to derive material insight about a particular customer’s application.
The purpose of this ISP is to:
- Ensure the security and confidentiality of Private Customer Application Data;
- Protect against any anticipated threats or hazards to the security or integrity of such information; and
- Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of unwanted public exposure.
To that end, Pixie Labs will:
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Private Customer Application Data;
- Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Private Customer Application Data;
- Evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control those risks;
- Design and implement an ISP that puts safeguards in place to minimize those risks; and
- Regularly monitor the effectiveness of those safeguards.
We have designated Zain Asgar as the "Data Security Coordinator" to implement, supervise and maintain the ISP. The Data Security Coordinator is responsible for:
- Implementation of the ISP;
- Training employees;
- Regular testing of the ISP's safeguards;
- Evaluating the ability of each of our third-party service providers to implement and maintain appropriate security measures for the Private Customer Application Data to which we have permitted them access; and requiring such third-party service providers to implement and maintain appropriate security measures;
- Reviewing the scope of the security measures in the ISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing Private Customer Application Data;
- Conducting an annual training session for all managers, employees and independent contractors, including temporary and contract employees, who have access to Private Customer Application Data on the elements of the ISP. All attendees at such training sessions are required to certify their attendance at the training and their familiarity with the company's requirements for ensuring the protection of Private Customer Application Data.
6. Storage of Information at Pixie Labs Inc.
Physical Records: Records containing Private Customer Application Data (as defined above) must be stored in locked facilities, secure storage areas or locked containers.
Electronic Records: To the extent technically feasible, the following security protocols must be implemented:
User authentication protocols, including:
- Secure control of user IDs and other identifiers;
- A reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
- Control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; and
- Restricting access to active users and active user accounts only.
Access control measures that:
- Restrict access to records and files containing Private Customer Application Data to those who need such information to perform their job duties; and
- Assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
Encryption of the following:
- All transmitted records and files containing Private Customer Application Data that will travel across public networks, and all Private Customer Application Data to be transmitted wirelessly; and
- All Private Customer Application Data stored on laptops or other portable devices that leave Pixie Labs’ sites.
Monitoring and patching:
- Reasonable monitoring of systems for unauthorized use of or access to Private Customer Application Data; and
- For files containing Private Customer Application Data on a system that is connected to the Internet, reasonably up-to-date intrusion protection and operating system security patches, reasonably designed to maintain the integrity of the Private Customer Application Data.
Access to Information: Access to records containing Private Customer Application Data shall be restricted to current employees who are reasonably required to know such information in order to accomplish Pixie Labs Inc’s legitimate business purpose or to enable the company to comply with legal requirements. Records containing Private Customer Application Data shall only be removed from a Pixie Labs site with specific authorization from the Data Security Coordinator. Employees who have access to Private Customer Application Data will lock their computers at the operating system level whenever they are away from their computer. Visitors to Pixie Labs Inc’s sites where Private Customer Application Data is stored shall not be permitted to enter any area of the premises that contains Private Customer Application Data unless they are escorted by a Pixie Labs employee or agent. Employees are encouraged to report any suspicious or unauthorized use of Private Customer Application Data.
Transmission of Information: To the extent technically feasible, all records and files containing Private Customer Application Data which are transmitted across public networks or wirelessly should be encrypted. Employees are advised against keeping open files containing Private Customer Application Data on their desks or in their work areas when they are not at their desks. At the end of the work day, all files and other records containing Private Customer Application Data must be secured in a manner consistent with this policy.
Disposition/Destruction of Information: Paper and electronic records containing Private Customer Application Data must be disposed of by shredding or equivalent destruction of paper records and/or destruction or erasure of the physical medium on which data is stored, in accordance with Pixie Labs Inc’s Document Retention and Destruction Policy, which is available to all Pixie Labs administrators. Terminated employees must return all records containing Private Customer Application Data, in any form, which may at the time of such termination be in the former employee's possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).
A copy of this ISP will be distributed to each employee (as well as consultants and vendors, as appropriate) who will have access to Private Customer Application Data. All such persons shall, upon receipt of the ISP, acknowledge in writing that they have received, read and understood the ISP. When the ISP is first issued, employees and temporary employees who have access to Private Customer Application Data will be trained on the detailed provisions of the policy. All employees shall be retrained regularly. All attendees at such training sessions are required to certify their attendance at the training and their familiarity with the company's policy and procedures for the protection of Private Customer Application Data.
Violations of the policy will be met with disciplinary action up to and including termination of employment. The nature of the disciplinary measures will depend on a number of factors including the nature of the violation. Employees should report a suspected violation by notifying the Data Security Coordinator who will contact legal counsel, as appropriate.
9. Breaches of the Policy
Whenever there is an incident that requires notification to government or other authorities, legal counsel shall be notified and there shall be an immediate post-incident review of events and of the actions taken, if any, with a view to determining whether any changes in security practices are required to improve the security of the Private Customer Application Data for which Pixie Labs is responsible. Any breach of the policy will be logged, as will the actions taken in response to the breach. Such log will be provided to Pixie Labs’ legal counsel.
10. Third Parties
The contents of this ISP will apply to third parties who are intended to receive and process Private Customer Application Data, and a similar policy or contractual restrictions must be in place before any such information is shared with them.
Any exceptions to this policy require prior written authorization and approval from the Data Security Coordinator or legal counsel.